If the credentials are stored for some period of time, then an inspection will reveal those stored credentials within the preservation window. Unannounced inspections will then show with high certainty a legitimate validation process.
The auditor can act as a customer and validate whether phony credentials are rejected.
Thanks for agreeing with me?